Privacy Policy

How Agenomic collects, uses, protects, and shares personal data.

Last updated: June 25, 2026

Agenomic is a B2B SaaS platform for AI agent governance. This policy explains, in plain language, what personal data we process, why, and the choices and rights you have. It is written to be read in layers — start with the summary in each section, and read on for detail.

Agenomic produces technical evidence and audit-ready evidence that supports compliance workflows. It does not provide legal advice or legal certification, and legal compliance requires qualified review.

1. Who we are

Company: Agenomic [legal entity — to confirm]

Registered address: [registered address — to confirm]

Privacy contact: privacy@agenomic.io

Data Protection Officer (DPO): We have not appointed a Data Protection Officer at this stage. For privacy requests, contact privacy@agenomic.io.

Supervisory authority: You may also lodge a complaint with your local data protection authority. In France, this is the CNIL.

2. Scope

This policy covers personal data processed through:

  • the agenomic.io website;
  • the Agenomic app / cloud platform;
  • the CLI and SDKs, where they connect to Agenomic Cloud;
  • the MCP Server, when connected to Agenomic Cloud;
  • and our support and sales interactions.

Customer content processed inside agent traces or evidence artifacts is mainly processed on behalf of the customer, under the customer’s instructions, unless otherwise stated.

3. Roles under the GDPR

Depending on the activity, Agenomic may act as:

  • Controller — for account, billing, website, analytics, support, security and marketing data, where we decide why and how the data is processed.
  • Processor — for customer-submitted agent data, traces, payload references, evidence artifacts and operational data processed on behalf of a customer.

For processor activities, the Data Processing Addendum governs the processing.

4. Personal data we collect

Categories of personal data we may process, with examples, source and purpose.

| Category | Examples | Source | Purpose |
| --- | --- | --- | --- |
| Account data | Name, email, organization, role, login metadata. | You / your organization | Create and manage your account. |
| Authentication & security data | IP address, login events, device/browser metadata, audit logs. | Collected automatically | Authenticate users and secure accounts. |
| Billing data | Billing contact, plan, invoices, payment metadata. We do not store full card data when payments are handled by a provider. | You / payment provider | Billing, invoicing and accounting. |
| Product usage data | Workspace, projects, run metadata, feature usage, CLI/SDK interactions. | Collected automatically | Operate and improve the service. |
| Agent governance data | Agent IDs, genome metadata, policy checks, run IDs, event types, hashes, ledger verification status. | You / your agents | Provide versioning, replay, audit and evidence features. |
| Customer content / trace data | Prompts, model outputs, tool payloads, redacted payloads, evidence artifacts — only if submitted or configured by the customer. Agenomic is designed to support hashes and redacted payloads instead of raw sensitive content. | You / your agents | Processed on your behalf to provide the service (processor role). |
| Support & communication data | Support tickets, messages, feedback. | You | Provide support and respond to requests. |
| Website analytics & cookies | Pages viewed, referrer, approximate location, cookie identifiers where enabled. | Collected automatically (with consent where required) | Understand and improve the website. |

5. Why we use personal data

Purposes of processing and the legal basis under the GDPR.

| Purpose | Legal basis | Examples |
| --- | --- | --- |
| Provide the service | Contract | Run the platform you signed up for. |
| Authenticate users and secure accounts | Contract / legitimate interest / legal obligation where applicable | Login, session security, audit logging. |
| Operate trace, ledger, replay and evidence features | Contract; for customer content, processor under the DPA | Record-keeping, replay reports, evidence packages. |
| Improve and monitor the service | Legitimate interest | Reliability, performance, debugging. |
| Provide support | Contract / legitimate interest | Answer tickets and questions. |
| Billing and accounting | Contract / legal obligation | Invoices, tax and accounting records. |
| Security, fraud prevention and abuse detection | Legitimate interest / legal obligation | Detect and prevent misuse. |
| Marketing communications | Consent or legitimate interest, depending on jurisdiction and context | Product updates and newsletters you can opt out of. |
| Legal compliance | Legal obligation | Respond to lawful requests and obligations. |

6. Agent traces, evidence and sensitive content

Agenomic may process agent traces, run metadata, policy checks, hashes, technical logs, replay reports, metrics, compliance reports and Evidence Packages.

Customers should not send unnecessary personal data, secrets, API keys, raw prompts, raw completions, or sensitive payloads unless they are genuinely needed and covered by appropriate safeguards.

Where supported, Agenomic stores hashes, redacted payloads, references and technical metadata rather than raw content.

Please do not submit:

  • API keys or secrets;
  • passwords;
  • authentication tokens;
  • unnecessary health data;
  • unnecessary financial data;
  • unnecessary special category data;
  • children’s data, unless specifically agreed and legally supported.

7. Data handling by design

Agenomic is designed to support privacy-preserving agent governance through hashes, redaction, access controls and signed technical evidence. By default, the platform is built to favour:

  • hashes over raw payloads;
  • redacted payloads over raw content;
  • object-storage references over raw content in the database;
  • no raw prompt/completion logging;
  • no secrets in traces;
  • org-scoped access;
  • configurable retention;
  • Evidence Package redaction;
  • MCP outputs redacted by default.

8. Cookies and similar technologies

We use cookies and similar technologies on our website. A full description is available in our Cookie Policy. In summary, we use:

  • strictly necessary cookies;
  • preference cookies;
  • analytics cookies;
  • marketing cookies, only if used.

Non-essential cookies are only used with your consent where required.

9. How long we keep data

Indicative retention periods. Bracketed values are placeholders to confirm before launch.

| Data category | Typical retention | Notes |
| --- | --- | --- |
| Account data | For the life of the account, then deleted or anonymized after [define retention period]. | Some records may be retained where legally required. |
| Security logs | [90–365 days] | Longer where needed for an active investigation. |
| Audit / evidence artifacts | As configured by the customer or contract | Customer controls retention for processor data. |
| Billing records | As required by accounting/tax law | Statutory retention applies. |
| Support messages | [define retention period] | Retained to provide continuity of support. |
| Marketing contacts | Until you unsubscribe or after an inactivity period | You can opt out at any time. |
| Cookies | As described in the Cookie Policy | Varies by cookie. |

10. Who receives personal data

We share personal data only as needed, with categories of recipients such as:

  • hosting providers;
  • cloud infrastructure;
  • analytics providers;
  • payment processors;
  • customer support tools;
  • email providers;
  • security and monitoring providers;
  • professional advisers;
  • authorities where legally required.

A current list of third-party processors is available on our Subprocessors page.

11. International transfers

Depending on the providers involved, data may be processed outside the European Economic Area (EEA). Where required, Agenomic uses appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism.

You can ask us about the safeguards in place for a specific transfer by contacting privacy@agenomic.io.

12. Security

We use appropriate technical and organizational measures to protect personal data, including:

  • encryption in transit;
  • encryption at rest where supported;
  • access controls and least privilege;
  • audit logs;
  • hash-based integrity verification;
  • signed evidence artifacts;
  • monitoring;
  • backups;
  • incident response.

No system can be guaranteed perfectly secure, but we work to keep our measures appropriate to the risk and to improve them over time.

13. Your rights

Subject to applicable law, you have the right to request:

  • access to your personal data;
  • rectification of inaccurate data;
  • erasure;
  • restriction of processing;
  • data portability;
  • objection to processing;
  • withdrawal of consent, where processing is based on consent.

You also have the right, subject to applicable law, to lodge a complaint with a supervisory authority.

To exercise your rights, contact privacy@agenomic.io. We may need to verify your identity before responding.

14. Automated decision-making

Agenomic does not use personal data to make legally binding automated decisions about users. If this changes, we will update this policy.

Any compliance scores or risk indicators Agenomic produces are technical product outputs for customers about their agents. They are technical evidence — they do not make legal decisions about individuals.

15. Children

Agenomic is intended for professional users and is not directed to children.

16. Changes to this policy

We may update this policy from time to time. Material changes will be notified where appropriate, and the “Last updated” date above will always reflect the current version.
